Is anshumanbh/securevibes-scanner safe?
https://github.com/openclaw/skills/tree/main/skills/anshumanbh/securevibes-scanner
SecureVibes Scanner is a legitimate AI-powered security scanning tool whose audited files (SKILL.md and scan.sh) show no signs of malicious intent — the shell wrapper implements solid input validation and the skill description contains no injection patterns. The primary risk is architectural: the core runtime is an unaudited third-party PyPI package (securevibes) that executes with full user permissions, inherits ANTHROPIC_API_KEY and all environment credentials, and processes entire codebases through the Anthropic API. Users should independently audit the securevibes PyPI package and pin to a specific verified version before deployment.
Findings (12)
HIGH Core runtime is unaudited third-party PyPI package -32
The skill's entire security analysis pipeline is delivered through 'pip install securevibes>=0.3.0'. This package is not included in the audited skill files and cannot be inspected here. When installed and invoked, it runs as the user with full access to the filesystem, environment variables, and network. A malicious or supply-chain-compromised version of this package could silently exfiltrate data, call arbitrary endpoints, or perform unauthorized actions, and this would not be detectable from the skill files alone.
HIGH ANTHROPIC_API_KEY exposed to unaudited pip runtime -20
The skill requires ANTHROPIC_API_KEY as a mandatory environment variable. The securevibes subprocess inherits the full shell environment and therefore has unrestricted access to this key. A malicious or compromised version of the package could exfiltrate the API key to an attacker-controlled endpoint, enabling unauthorized use of the user's Anthropic account and all associated usage costs and data access.
MEDIUM Codebase contents (including secrets) read and transmitted through unaudited channel -18
The securevibes assessment and code-review phases read source files across the scanned directory and transmit their contents to the Anthropic API for analysis. If the target repository contains .env files, hardcoded credentials, private keys, or other secrets (a common reason to run a security scanner), these are processed by the unaudited pip package before reaching the API. The package controls what is sent and to where.
MEDIUM DAST mode enables active network scanning of arbitrary URLs -15
The --dast flag instructs securevibes to make active HTTP/S requests to a caller-supplied --target-url. While SKILL.md warns to only target apps the user owns, an agent manipulated through prompt injection or instruction confusion could invoke this against third-party systems, constituting unauthorized penetration testing. The warning is documentation only — there is no enforcement mechanism.
LOW Runtime scan network behavior unmonitored in this audit -10
Network monitoring captured only the git clone phase (traffic to GitHub). The actual network behavior of the securevibes package during a live scan — including what it sends to the Anthropic API, whether it contacts any telemetry endpoints, or what data it includes in API requests — was not captured. Installation-phase cleanliness does not guarantee runtime cleanliness.
LOW scan.sh passes unvalidated extra arguments to securevibes -10
The scan.sh wrapper validates PROJECT_PATH against shell metacharacters and resolves it with realpath. However, all remaining positional arguments ($@) are passed directly to 'securevibes scan' without any validation. While quoting prevents shell injection, securevibes may accept flags like --output
LOW --force suppresses all confirmation prompts across command mappings -8
Every command mapping in the SKILL.md reference table includes --force, which bypasses all interactive prompts and silently overwrites existing .securevibes/ artifacts. This means the agent can never pause to confirm before overwriting previous scan results, making it impossible to compare or preserve historical scan data through normal usage.
LOW 45-minute background execution provides extended unobserved window -7
The recommended background execution model sets a 45-minute timeout (timeoutSeconds: 2700) and uses sessionTarget: isolated. During this window, the unaudited securevibes package operates autonomously without direct user observation, increasing the opportunity for any unintended behavior to go unnoticed.
LOW Background execution instructs unattended git pull and artifact cleanup -7
The background execution template instructs the subagent to git pull latest code and clean previous .securevibes/ artifacts before scanning. This means the skill modifies the target repository's working tree and destroys prior scan evidence without user confirmation as part of normal operation.
INFO All honeypot files intact — no exfiltration detected 0
Honeypot files placed at standard credential locations were not accessed or modified by the skill during the installation phase. The canary integrity check passed cleanly.
INFO Clean installation — only GitHub traffic observed 0
The git clone and sparse checkout of the skill directory produced only expected network traffic: DNS resolution and HTTPS to GitHub (140.82.121.3). No connections to pypi.org, securevibes.ai, or any third-party analytics endpoints were observed during installation.
INFO SKILL.md contains no injection patterns 0
Full review of SKILL.md found no hidden unicode characters, HTML comments, invisible text, override instructions, ignore-previous-instructions patterns, persona-switching directives, or encoding tricks. The skill description accurately reflects its stated functionality.